Cheating has a uniquely negative connotation: record marring, grade failing, and career ending on one side. Yet it can also be seen as positive, creative, or victorious on the other.

Two professors teaching a cyberwarfare course sought to teach creative thinking. Their method? An impossible test with the idea that students must cheat – and that not getting caught cheating was what the test was actually about.

In other words, they stole the concept of Kobayashi Maru.

Why? The introduction to their paper sums it up:

“Adversaries cheat. We don’t. In academic institutions around the world, students understand that they will be expelled if they violate their college’s honor code or otherwise fail to play by the institutional rules. The dissonance between how our adversaries operate and how we teach our students puts our students at a distinct disadvantage when faced with real world adversaries who inevitably do not play by the rules. Breaking through the paradigm where students self-censor their ways of thinking to a new paradigm that cultivates an effective adversary mindset is both necessary and possible.”

The paper itself details the methods and manner each student used. And in each case the student exploited a loophole in the teacher’s rule set.

Sometimes the phrase “Red Team” or “Red Cell” is used to describe those who are designated to exploit our potential weaknesses. I prefer the term “Devil’s Advocate” – the Catholic concept of bringing evidence against canonization of a Saint. Why? Because the Devil’s Advocate can’t just say “well, what if?”. The Devil’s Advocate must make his case. He must be able to actualize his contention. Too many Red Teams just say “what if” and walk away. Their concept or challenge need not be realistic, achievable, or anything other than a wrench in the machine, and that is not creative thinking – it is disruptive, destructive, and dangerous because it does nothing but cause trouble. It does not seek to exploit or identify a loophole.

The paper’s conclusion…

“Teach yourself and your students to cheat. We’ve always been taught to color inside the lines, stick to the rules, and never, ever, cheat. In seeking cyber security, we must drop that mindset. It is difficult to defeat a creative and determined adversary who must find only a single flaw among myriad defensive measures to be successful. We must not tie our hands, and our intellects, at the same time. If we truly wish to create the best possible information security professionals, being able to think like an adversary is an essential skill. Cheating exercises provide long term remembrance, teach students how to effectively evaluate a system, and motivate them to think imaginatively. Cheating will challenge students’ assumptions about security and the trust models they envision. Some will find the process uncomfortable. That is OK and by design. For it is only by learning the thought processes of our adversaries that we can hope to unleash the creative thinking needed to build the best secure systems, become effective at red teaming and penetration testing, defend against attacks, and conduct ethical hacking activities.”

The final kicker? This was done at the US Military Academy…

As a military we prize conformity. And that conformity in the main is a good thing. But we also need people who are capable of thinking – and actualizing – “what if”. What if we loaded up our carriers with airplanes and launched from maximum range on a Sunday morning? What if we hijacked and piloted fuel laden commercial jets into office buildings? What if we designed a computer virus geared to do one thing and one thing only? What if we use runners for messages and small speedboats to attack the carriers?

Not “What if someone took over a LNG tanker and blew it up” without describing the how, what, why, and physics behind it.

The paper is a quick read. Take a look. Then think about how you can teach your people to think creatively for the betterment of the next operation, next mission, next maintenance, next training. But make them do so in a manner that is achievable. Make them “cheat” – and not get caught.

(h/t Bruce Schneier)




Posted by M. Ittleschmerz in Uncategorized



  • http://www.cimsec.org M.Hipple

    The sad thing is folks spend so much time doing this already, but against the massive administrative wickets required to accomplish simple tasks. Imagine if we switched that time and effort to healthier contemplations of meeting with the enemy.

  • UltimaRatioReg

    A good read. Some excellent points made.

    A couple of observations:

    Professional and quality Red Teams are not simply “gotcha” people who act randomly, however random those acts may seem to Blue. A Devil’s Advocate is useful in the friendly planning process, but a thorough Red Team engagement is crucial.

    Much more valuable than a “Red Team” that simply disrupts, is a Red Team that disrupts for a reason. Those who can look at a “Blue” course of action, find the seams and vulnerabilities, and exploit them for a purpose pursuant to an objective give us the best look at ourselves.

    General van Riper didn’t simply dream up using small boat swarm tactics, he used them in some measure because our likely adversary in the region had been contemplating that tactic as an exploit of what they believed to be our vulnerability in close (and reluctance to engage).

    Our Red Teaming skills have badly atrophied as a direct result of our institutional unwillingness to have an unvarnished look at our own TTPs and planning assumptions, and our failure to build and foster “disruptive thinking”. Which, in turn, causes even less well-grounded assumptions to be made and built upon, and a tactical “house of cards” erected.

    The issue with “cyber” (I hate that word) is that those who do act disruptively do so oftentimes outside the law. The so-called “Black Hats” have no compunction about crossing the line; however, they don’t have official government sponsorship to do so. They also have a level of technical knowledge and design expertise that is largely unattainable for someone who is to do all the other things that are required of military service.

    Which is why government regulation of the internet will be such a boon for hackers. They look at a set of rules and immediately begin working ways to exploit and subvert, while the rest look at how to comply.

  • Dee

    “The so-called “Black Hats” have no compunction about crossing the line; however, they don’t have official government sponsorship to do so. They also have a level of technical knowledge and design expertise that is largely unattainable for someone who is to do all the other things that are required of military service.”

    There is some speculation that the line of demarcation between “official government sponsorship” in some nations that we compete with on global trade and a narrative of the construct of the future is not as clear cut as it is here at home; where ‘students’ might in actuality be sponsored state actors or non-uniformed military.

    I was reading at Information Dissemination that “security” is now as mandatory as English 101 at the USNA. I’m glad to hear people thinking outside of the box, or pursuing an objective to the letter of law and “up until the echo of the blowing of the whistle” (to use a sports term) the spirit of the law.

    That all said: I still bought a generator and installed a transfer switch and use cash bonus dollars to put aside minimal amounts of Wise Foods.

    I’m encouraged that people are addressing the issue. I’m a creature of comfort and take a lot for granted and want to continue doing so. My selfish two cents

  • UltimaRatioReg

    Dee,

    We are quite certain that other governments officially sanction, in fact promote and operate, entities whose mission is to penetrate and disrupt US critical information systems and infrastructure. They do so often under the guise of industrial espionage, as well as other avenues. But given that the majority of those who engage in commerce with the US are state-controlled entities in those nations, it is increasingly difficult to distinguish between the two.

  • Dee

    I know what you say to be the truth, however making that naked assertion as a fact is politically rude when I think the larger goal is cooperation and a shared future, nonetheless have generator and minimal Wise food. We live in a world of a “new epistemology” where some long held assumptions and categorical statements are tempered with an inability in “proof” from traditional “epistemology” there is cause and effect. It would be nice if there was a way to determine in all cases where an information security threat actually arises from and or originates so I’ll leave that to closed door analysis.

    I’m not an expert in this area however sufficiently cognizant of this topic as a real challenge. Put into perspective I saw a video way back about a generator spinning apart, a sort of dramatization video and poo-poo’d it. Without embellishment I do now own a personal backup generator.

  • UltimaRatioReg

    Dee,

    Not to burst your bubble, but those who would disrupt our critical infrastructure are not interested in sharing any future. Whatever the current epistemology happens to be.

  • http://blog.usni.org M. Ittleschmerz

    Gents…believe it or not, this post is not about “cyber” or government sponsorship of anything. Hipple gets it.

  • UltimaRatioReg

    Maybe you missed my other comments above.

  • http://blog.usni.org M. Ittleschmerz

    No, I didn’t miss your original comment.

    The first part is good, the commentary on General Van Riper shows that you did read the post and check out the links. Then you devolve to cyber, Dee picks it up and we wind up here.

    That a fair summation?

  • UltimaRatioReg

    Not entirely. The paper you cite is regarding the development of the hacker mentality. So “cyber” (phoo!) is not entirely unrelated.

    I didn’t need to read the link about the Ripper and Millennium Challenge. Remember it well. And have talked with him a couple of times about it.

    I wish Sal would have a whole show about it over on MR. But hey, I dunno nuthin’, I just work here.

  • Diogenes of NJ

    I thought the whole thing was about what happens to you on your first liberty in a foreign port – Po city I believe.

    – Kyon

  • UltimaRatioReg

    The entire rest of your life is really about that, innit? :)

  • UltimaRatioReg

    Good post, though, and points to the dichotomy between an organization that succeeds in the macro because of conformity, which has requirements in certain areas of non-conformity.

    How that is rectified can determine whether a force becomes the French Army of 1940 or the German Army of 1940.

  • http://www.garlic.com/~lynn/ Lynn Wheeler

    It is not clear where such students are from. There have been lots of discussions about students in graduate cybersecurity programs spending all their time trying to find the next exploit … garnering them peer-points … and it is very difficult to motivate/interest them in designing/building secure systems that preclude exploits. Given, it is useful to know something about attacking when designing defensive systems … but can’t spend all the time attacking … and not spend any time on design of exploit countermeasures.

  • Dee

    Let me speak clearly for myself: the CCP has long underwritten cyber attacks against US infrastructure via proxy students who are in effect non-uniformed military. Ok I make an assertion and from an epistemological standpoint when challenged by a devil’s advocate to substantiate that assertion I’m on a slippery slope of proof. I make the above initial assertion on widely published empirical proof. And in closing: I’m comfortable with the US military academies instituting a formal curriculum to do the same and to encourage engaging in the activity at the same level of our “competitors.” General Van Riper has nothing to do with these observations and opinions which are mine personally.

  • Dee

    Whatever the current epistemology happens to be….. hmmm.. staying a step away from being using another as the lurid and insidious example and conceding that the post is disruptive: If my honeypot, logs, and computer monitor starts flashing a message: “you Dee are an azzhat” it remains a proposition not necessarily true or false. Future leaders will have to make a call, some good, some bad, some made in ignorance and always in a realization that they are doing so with assumptions.

  • Grandpa Bluewater

    There is no cheating in tactics. The concept “cheating” has no meaning, the point is to kill the enemy or convince him his only hope of survival is to surrender immediately.

    Terror tactics are not cheating, they are counter productive. Kind of like ignoring a flag of truce. It’s all about maintaining deterrence.

  • W.M. Truesdell

    “Grandpa Bluewater Says:

    There is no cheating in tactics.”

    But there is adherence to a mind set that is based on rules of combat.

    Nelson recognized that and “cheated” at the Battle of the Nile.

    The greater problem is “Fear of Failure” and what happens to you if you stray from the rules of the day.

    In essence you cheated and deserve punishment, which I think is the point of the article. Cheat and you have no argument for failure, which is why you have to succeed. Otherwise look forward to a GCM.

    If you look back in history at those leaders who “cheated” and won on a grand scale, there were still those who thought them wrong for doing it. Even James Kirk was brought before a Star Fleet Board to be chastised for cheating. Fortunately for the Universe (and even more so, the franchise), they never got that far.

    W.M. Truesdell

  • GIMP

    The only real lines that cannot be crossed in conflict are those of the physically (or electronically) impossible.

    If it can be done, and provides a perceived advantage, it will be.

    Laws of war exist largely so that Europeans could share the same space after their wars. They are how we choose to limit ourselves.

    Our thinking about conflict; from bloodless diplomacy to total annihilation, needs to be bounded only by the physically possible. Law, convention, and morality have a place in this world, but not to everyone and not necessarily in a struggle for survival.

    Failing to grasp the full range of possible actions because they are outside the rules, conventions, and morality we hold in high esteem is deadly foolishness.

    It’s good to see someone teaching our next generation of young leaders to open their minds to the full range of possibilities.
